예제 #1
0
        bool FindEncrypted()
        {
            var ep = module.EntryPoint;

            if (ep == null || ep.Body == null)
            {
                return(false);
            }
            if (!DotNetUtils.IsMethod(ep, "System.Void", "(System.String[])"))
            {
                return(false);
            }
            var initMethod = CheckCalledMethods(ep);

            if (initMethod == null || !new LocalTypes(initMethod).All(encryptedRequiredLocals))
            {
                return(false);
            }
            var resource = GetResource();

            if (resource == null)
            {
                return(false);
            }

            assemblyEncryptedResource = resource;
            return(true);
        }
예제 #2
0
        bool CheckInitMethod(MethodDef method)
        {
            if (method == null || !method.IsStatic || method.Body == null)
            {
                return(false);
            }
            if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
            {
                return(false);
            }
            var type = method.DeclaringType;

            if (type.NestedTypes.Count != 1)
            {
                return(false);
            }
            if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
            {
                return(false);
            }

            var resolveHandler = DeobUtils.GetResolveMethod(method);

            if (resolveHandler == null)
            {
                return(false);
            }

            initMethod    = method;
            resolverType  = type;
            handlerMethod = resolveHandler;
            return(true);
        }
예제 #3
0
        void Find(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
        {
            var additionalTypes = new List <string> {
                "System.IO.BinaryReader",
                "System.IO.FileStream",
                "System.Reflection.Assembly",
                "System.Reflection.Assembly[]",
                "System.String",
            };

            foreach (var method in type.Methods)
            {
                if (!DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
                {
                    continue;
                }
                if (!DecryptMethod.CouldBeDecryptMethod(method, additionalTypes))
                {
                    continue;
                }
                cflowDeobfuscator.Deobfuscate(method);
                if (!decryptMethod.GetKey(method))
                {
                    continue;
                }

                return;
            }
        }
예제 #4
0
        bool CheckCalledMethods(MethodDef checkMethod)
        {
            if (checkMethod == null || checkMethod.Body == null)
            {
                return(false);
            }

            foreach (var method in DotNetUtils.GetCalledMethods(module, checkMethod))
            {
                if (method.Name == ".cctor" || method.Name == ".ctor")
                {
                    continue;
                }
                if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
                {
                    continue;
                }

                if (CheckResolverInitMethod(method))
                {
                    return(true);
                }
            }

            return(false);
        }
예제 #5
0
        MethodDef FindInt64Method()
        {
            if (type == null)
            {
                return(null);
            }
            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null || method.HasGenericParameters)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Int64", "()"))
                {
                    continue;
                }
                if (!FindInt64(method))
                {
                    continue;
                }

                return(method);
            }

            return(null);
        }
예제 #6
0
        static bool FindMod(MethodDef method, out ulong mod)
        {
            var instrs = method.Body.Instructions;

            for (int i = 0; i < instrs.Count - 1; i++)
            {
                var ldci8 = instrs[i];
                if (ldci8.OpCode.Code != Code.Ldc_I8)
                {
                    continue;
                }

                var call = instrs[i + 1];
                if (call.OpCode.Code != Code.Call)
                {
                    continue;
                }
                var calledMethod = call.Operand as IMethod;
                if (calledMethod == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(calledMethod, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)"))
                {
                    continue;
                }

                mod = (ulong)(long)ldci8.Operand;
                return(true);
            }
            mod = 0;
            return(false);
        }
예제 #7
0
        static MethodDef GetTheOnlyMethod(TypeDef type, string returnType, string parameters)
        {
            MethodDef foundMethod = null;

            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null || method.HasGenericParameters)
                {
                    continue;
                }
                if (method.IsPrivate)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, returnType, parameters))
                {
                    continue;
                }

                if (foundMethod != null)
                {
                    return(null);
                }
                foundMethod = method;
            }

            return(foundMethod);
        }
예제 #8
0
        public static MethodDef FindDecrypterMethod(MethodDef method)
        {
            if (method == null || method.Body == null)
            {
                return(null);
            }

            foreach (var instr in method.Body.Instructions)
            {
                if (instr.OpCode.Code != Code.Call)
                {
                    continue;
                }
                var calledMethod = instr.Operand as MethodDef;
                if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(calledMethod, "System.IO.MemoryStream", "(System.IO.Stream)"))
                {
                    continue;
                }

                return(calledMethod);
            }

            return(null);
        }
예제 #9
0
        void FindEncryptedResourceSet()
        {
            foreach (var type in module.Types)
            {
                if (type.Namespace != "")
                {
                    continue;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Resources.ResourceSet")
                {
                    continue;
                }
                var ctor = type.FindMethod(".ctor");
                if (!DotNetUtils.IsMethod(ctor, "System.Void", "(System.Resources.IResourceReader)"))
                {
                    continue;
                }
                var method = type.FindMethod("GetDefaultReader");
                if (!DotNetUtils.IsMethod(method, "System.Type", "()"))
                {
                    continue;
                }
                if (method.Body == null || method.IsStatic || !method.IsVirtual)
                {
                    continue;
                }

                encryptedResourceSet_GetDefaultReader = method;
                encryptedResourceSetType = type;
                return;
            }
        }
예제 #10
0
		bool Find(MethodDef methodToCheck) {
			if (methodToCheck == null)
				return false;
			foreach (var method in DotNetUtils.GetCalledMethods(module, methodToCheck)) {
				var type = method.DeclaringType;

				if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
					continue;
				if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
					continue;
				if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
					continue;
				Deobfuscate(method);
				if (!ContainsString(method, "debugger is activ") &&
					!ContainsString(method, "debugger is running") &&
					!ContainsString(method, "Debugger detected") &&
					!ContainsString(method, "Debugger was detected") &&
					!ContainsString(method, "{0} was detected") &&
					!ContainsString(method, "run under") &&
					!ContainsString(method, "run with") &&
					!ContainsString(method, "started under") &&
					!ContainsString(method, "{0} detected") &&
					!ContainsString(method, "{0} found"))
					continue;

				antiDebuggerType = type;
				antiDebuggerMethod = method;
				return true;
			}

			return false;
		}
예제 #11
0
        string GetMainResourceKey(MethodDef method, out MethodDef decryptAssemblyMethod)
        {
            foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, method))
            {
                if (!calledMethod.IsStatic || calledMethod.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.String[])"))
                {
                    continue;
                }

                DeobfuscateAll(calledMethod);
                string keyInfo = GetMainResourceKeyInfo(calledMethod, out decryptAssemblyMethod);
                if (keyInfo == null)
                {
                    continue;
                }
                return(BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(new ASCIIEncoding().GetBytes(keyInfo))).Replace("-", ""));
            }

            decryptAssemblyMethod = null;
            return(null);
        }
예제 #12
0
        bool CheckCctor(MethodDef cctor)
        {
            var ldtokenType = GetLdtokenType(cctor);

            if (!new SigComparer().Equals(ldtokenType, cctor.DeclaringType))
            {
                return(false);
            }

            MethodDef initMethod = null;

            foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
            {
                if (DotNetUtils.IsMethod(method, "System.Void", "(System.Type)"))
                {
                    initMethod = method;
                    break;
                }
            }
            if (initMethod == null || initMethod.Body == null)
            {
                return(false);
            }

            return(true);
        }
예제 #13
0
            protected static MethodDef FindDecrypterMethod(TypeDef type)
            {
                MethodDef cctor = null, decrypterMethod = null;

                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || method.Body == null)
                    {
                        return(null);
                    }
                    if (method.Name == ".cctor")
                    {
                        cctor = method;
                    }
                    else if (DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
                    {
                        decrypterMethod = method;
                    }
                    else
                    {
                        return(null);
                    }
                }
                if (cctor == null || decrypterMethod == null)
                {
                    return(null);
                }

                return(decrypterMethod);
            }
예제 #14
0
 EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     foreach (var method in type.Methods)
     {
         if (!method.IsPrivate || !method.IsStatic || method.Body == null)
         {
             continue;
         }
         if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
         {
             continue;
         }
         simpleDeobfuscator.Deobfuscate(method);
         simpleDeobfuscator.DecryptStrings(method, deob);
         foreach (var s in DotNetUtils.GetCodeStrings(method))
         {
             var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
             if (resource != null)
             {
                 return(resource);
             }
         }
     }
     return(null);
 }
예제 #15
0
        void Find(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
        {
            var additionalTypes = new List <string> {
                "System.IO.BinaryWriter",
            };

            foreach (var method in type.Methods)
            {
                if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Int32[],System.UInt32[])"))
                {
                    continue;
                }
                if (!DecryptMethod.CouldBeDecryptMethod(method, additionalTypes))
                {
                    continue;
                }
                cflowDeobfuscator.Deobfuscate(method);
                if (!decryptMethod.GetKey(method))
                {
                    continue;
                }

                FindPatchData(type, cflowDeobfuscator);
                return;
            }
        }
예제 #16
0
        static MethodDef FindXxteaMethod(TypeDef type)
        {
            foreach (var method in type.Methods)
            {
                if (!method.IsPrivate || method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
                {
                    if (!DeobUtils.HasInteger(method, 0x9E3779B9))
                    {
                        continue;
                    }
                }
                else if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[],System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32)"))
                {
                    // Here if 5.0. 0x9E3779B9 is passed to it as the last arg.
                }
                else
                {
                    continue;
                }
                if (!DeobUtils.HasInteger(method, 52))
                {
                    continue;
                }

                return(method);
            }
            return(null);
        }
예제 #17
0
        void FindPatchData(TypeDef type, ICflowDeobfuscator cflowDeobfuscator)
        {
            var locals = new List <string> {
                "System.Int32[]",
                "System.UInt32[]",
            };

            foreach (var method in type.Methods)
            {
                if (method.Attributes != MethodAttributes.Private)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
                {
                    continue;
                }
                if (!new LocalTypes(method).Exactly(locals))
                {
                    continue;
                }
                cflowDeobfuscator.Deobfuscate(method);
                var patchInfo = GetPatchInfo(method);
                if (patchInfo == null)
                {
                    continue;
                }

                patchInfos.Add(patchInfo);
            }
        }
예제 #18
0
        public void Find()
        {
            var additionalTypes = new string[] {
                "System.Boolean",
            };

            foreach (var type in module.Types)
            {
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.IsMethod(method, "System.Boolean", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    encryptedResource.Method = method;
                    return;
                }
            }
        }
        static bool CheckDecrypterMethod(MethodDef method)
        {
            if (method == null || !method.IsStatic || method.Body == null)
            {
                return(false);
            }
            if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
            {
                return(false);
            }
            if (!new LocalTypes(method).All(requiredLocalTypes))
            {
                return(false);
            }

            foreach (var instr in method.Body.Instructions)
            {
                if (instr.OpCode != OpCodes.Callvirt)
                {
                    continue;
                }
                var calledMethod = instr.Operand as IMethod;
                if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
                {
                    return(true);
                }
            }
            return(false);
        }
예제 #20
0
        static MethodDef FindDecryptMethod(TypeDef type)
        {
            if (type == null)
            {
                return(null);
            }
            foreach (var method in type.Methods)
            {
                if (method.Body == null || !method.IsStatic || method.IsPrivate)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.String", "(System.UInt32)"))
                {
                    continue;
                }
                if (!DotNetUtils.CallsMethod(method, "System.String System.Runtime.InteropServices.Marshal::PtrToStringAnsi(System.IntPtr)"))
                {
                    continue;
                }

                return(method);
            }
            return(null);
        }
예제 #21
0
        static FieldDef FindDelegateField(TypeDef mainType, string returnType, string parameters)
        {
            foreach (var field in mainType.Fields)
            {
                var fieldSig = field.FieldSig;
                if (fieldSig == null)
                {
                    continue;
                }
                var fieldType = fieldSig.Type.ToTypeDefOrRef() as TypeDef;
                if (fieldType == null)
                {
                    continue;
                }
                if (fieldType.BaseType != null && fieldType.BaseType.FullName != "System.MulticastDelegate")
                {
                    continue;
                }
                var invokeMethod = fieldType.FindMethod("Invoke");
                if (!DotNetUtils.IsMethod(invokeMethod, returnType, parameters))
                {
                    continue;
                }

                return(field);
            }
            return(null);
        }
        static MethodDef CheckMethodsV30(TypeDef type)
        {
            if (type.Methods.Count < 1 || type.Methods.Count > 2)
            {
                return(null);
            }

            MethodDef decrypterMethod = null;
            MethodDef cctor           = null;

            foreach (var method in type.Methods)
            {
                if (method.Name == ".cctor")
                {
                    cctor = method;
                    continue;
                }
                if (decrypterMethod != null)
                {
                    return(null);
                }
                if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32,System.Int32,System.Int32)"))
                {
                    return(null);
                }
                decrypterMethod = method;
            }
            if (decrypterMethod == null || !decrypterMethod.IsStatic)
            {
                return(null);
            }
            return(decrypterMethod);
        }
예제 #23
0
        List <MethodDef> FindEfConstMethodCalls(MethodDef method)
        {
            if (method == null)
            {
                return(null);
            }
            var list = new List <MethodDef>();

            foreach (var instr in method.Body.Instructions)
            {
                if (instr.OpCode.Code != Code.Call)
                {
                    continue;
                }
                var calledMethod = instr.Operand as MethodDef;
                if (calledMethod == null || !calledMethod.IsStatic || calledMethod.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(calledMethod, "System.Int32", "()"))
                {
                    continue;
                }
                if (type.NestedTypes.IndexOf(calledMethod.DeclaringType) < 0)
                {
                    continue;
                }

                list.Add(calledMethod);
            }
            return(list);
        }
예제 #24
0
        public void Find()
        {
            var cctor = DotNetUtils.GetModuleTypeCctor(module);

            if (cctor == null)
            {
                return;
            }

            foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
            {
                if (method.Name == ".cctor" || method.Name == ".ctor")
                {
                    continue;
                }
                if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
                {
                    continue;
                }
                if (CheckType(method))
                {
                    break;
                }
            }
        }
예제 #25
0
        bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            if (handlerMethod == null)
            {
                return(true);
            }

            foreach (var method in resolverType.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
                {
                    continue;
                }
                if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|'))
                {
                    continue;
                }

                simpleDeobfuscator.Deobfuscate(method);
                simpleDeobfuscator.DecryptStrings(method, deob);
                if (!InitializeInfos(method))
                {
                    continue;
                }

                return(true);
            }

            return(false);
        }
예제 #26
0
        public void Find()
        {
            foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module)))
            {
                if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
                {
                    continue;
                }
                if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
                {
                    continue;
                }

                nativeLibCallerType = calledMethod.DeclaringType;
                initMethod          = calledMethod;
                foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
                {
                    nativeFileResource = DotNetUtils.GetResource(module, s);
                    if (nativeFileResource != null)
                    {
                        break;
                    }
                }
                return;
            }
        }
예제 #27
0
        void FindOverrideMethods()
        {
            foreach (var method in type.Methods)
            {
                if (!method.IsVirtual)
                {
                    continue;
                }
                if (DotNetUtils.IsMethod(method, "System.Void", "(System.IO.BinaryReader)"))
                {
                    if (readMethod != null)
                    {
                        throw new ApplicationException("Found another read method");
                    }
                    readMethod = method;
                }
                else if (!DotNetUtils.HasReturnValue(method) && method.MethodSig.GetParamCount() == 1)
                {
                    if (executeMethod != null)
                    {
                        throw new ApplicationException("Found another execute method");
                    }
                    executeMethod = method;
                }
            }

            if (readMethod == null)
            {
                throw new ApplicationException("Could not find read method");
            }
            if (executeMethod == null)
            {
                throw new ApplicationException("Could not find execute method");
            }
        }
예제 #28
0
        MethodDef GetAntiTamperingDetectionMethod(TypeDef type)
        {
            var requiredLocals = new string[] {
                "System.Reflection.Assembly",
                "System.Collections.Generic.Stack`1<System.Int32>",
            };

            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Type)"))
                {
                    continue;
                }
                if (!new LocalTypes(method).All(requiredLocals))
                {
                    continue;
                }
                if (!HasThrow(method))
                {
                    continue;
                }

                return(method);
            }
            return(null);
        }
예제 #29
0
        static bool CheckLzmaMethods(TypeDef type)
        {
            int methods = 0;

            foreach (var m in type.Methods)
            {
                if (m.IsStaticConstructor)
                {
                    continue;
                }
                if (m.IsInstanceConstructor)
                {
                    if (m.MethodSig.GetParamCount() != 0)
                    {
                        return(false);
                    }
                    continue;
                }
                if (!DotNetUtils.IsMethod(m, "System.UInt32", "(System.UInt32)"))
                {
                    return(false);
                }
                methods++;
            }
            return(methods == 1);
        }
예제 #30
0
        bool CheckCctor(MethodDef cctor)
        {
            foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
            {
                if (method.Name != "Startup")
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
                {
                    continue;
                }

                bool isOldTmp;
                if (!CheckType(method.DeclaringType, out runtimeModule1, out runtimeModule2, out isOldTmp))
                {
                    continue;
                }

                mcType = method.DeclaringType;
                isOld  = isOldTmp;
                return(true);
            }

            return(false);
        }